Cisco CCNA 200-301 – ACLs – Access Control Lists

  1. Introduction

In this section you’ll learn about ACLs, access control lists. What an ACL does is identify traffic that’s going through the router, and the router can then take an action based on that. The kinds of things it will look at to identify the traffic are the source and destination IP addresses or port numbers. What ACLs have traditionally been used for is securing traffic going through the router. For example, let’s say we’ve got the sales IP subnet 10.10.10.0 in VLAN 10, and we’ve got the accounts subnet 10.10.20.0 in VLAN 20, and there’s no need for the sales PCs to be sending traffic to accounts. In fact, we’re worried that if that traffic was allowed, it could cause issues. It’s a security concern.

So we can segment the two sets of users at layer two with our VLANs. We’re already segmented at layer three by the IP subnets, but by default a router will route traffic between subnets that it knows about. If you want to block traffic between subnets at layer three, and also look at layer four information, you can use an ACL for that. So in that example, we would use the ACL to block traffic from the 10.10.10.0 subnet to the 10.10.20.0 subnet. That’s the main thing we usually do with ACLs, but they’re not just used for securing traffic going through the router. Whenever we’ve got any kind of software policy where we want to identify traffic and then take an action based on it, ACLs are one of the most common ways to do that. For example, let’s say we want to configure a quality of service policy, where we want to give the voice traffic coming from our IP phones preferential treatment going through the router.

Well, we can identify the traffic coming from our IP phones with an ACL and then use that in our QoS policy. Or maybe we need to translate private IP addresses on the inside to public IP addresses on the outside with a NAT (Network Address Translation) rule. Again, we can use an ACL to specify the source IP addresses of those private hosts on the inside. So those are the things you can do with an ACL. In this section we’re going to be looking at it primarily from the point of view of securing traffic going through the router, but we will look at QoS and Network Address Translation in later sections as well.

Okay, so let’s walk through how we’re going to break it down. In this section we’ve got an ACL overview to start with, and then I’ll explain the different types of ACLs, which are standard, extended and named. I’ll walk through the ACL syntax. There’s nothing too complicated about it, but the command is quite long, so we’ll break it down step by step and go through each of the different keywords that make up the command. Then I’ll talk about ACL operations. There are a few things about ACLs that are not actually that intuitive, and if you don’t understand how they work it can really confuse you; it can be difficult to understand what’s going on with the router because there are a few gotchas with ACLs. So I’ll explain what they are later on in the section. Okay, so access control lists. Let’s get started.

  1. Access Control Lists Overview

In this lecture you’ll learn about ACLs, access control lists. An ACL identifies traffic based on characteristics of the packet that’s going to go through the router, such as its source IP address and/or its destination IP address and/or the layer four port number. The router or switch can then take an action based on the result of the ACL. ACLs are supported on both routers and switches, but if I say “router or switch” or “router and switch” every time in this section, I’ll be saying it 500 times a lecture. So I’ll just refer to routers, but whenever I say routers it applies to switches as well. The original use of ACLs was as a security feature which helped decide if traffic should be allowed to pass through the router or not, and if you talk to somebody about ACLs, that’s still normally the first thing they will think about. By default a router will allow all traffic to pass between its interfaces, and by default no ACLs are applied. But when ACLs are applied, the router identifies traffic and then decides if it will be allowed or not.

But ACLs are not just used for security nowadays; they’re also used in many other software policies where traffic has to be identified, for example to identify traffic to give better service to in a QoS (Quality of Service) policy, or to identify traffic to translate to a different IP address in a NAT (Network Address Translation) policy. We’ll be covering both QoS and NAT in later sections, and you’ll see how to use ACLs to control them. Access Control Lists are made up of Access Control Entries (ACEs), which are a series of permit or deny rules. Each ACE is written as a separate line that makes up the ACL. So here’s an example of an Access Control Entry. The command syntax is access-list to start, then a number such as 100 (there is actually special meaning to the numbers, which we’ll get to in the next lecture).

Then the action, which will be permit or deny, then the protocol, such as TCP or UDP or ICMP. Then we get to the source section, and there is a field for the IP address and then for the wildcard mask, then a qualifier such as less than, greater than or equal, and then the source port number. The next section is about the destination: we’ve got the destination IP address, the destination wildcard mask, a qualifier again and then the destination port. So that is the syntax of an Access Control Entry. When we’re writing our Access Control List, it’s made up of multiple Access Control Entries. So you can see here an example of an ACL. We’ve got access-list 100 deny tcp from 10.10.10.10 0.0.0.0.

So that would be the particular host 10.10.10.10, when the source port number is greater than 49151 and it’s going to a destination of 10.10.50.10 0.0.0.0, so a particular host again, and when the destination port number is 23. Then we’ve got three other access control entries, and all of these together make up the rules that control the traffic that is going to be allowed or not allowed through the router. Okay, so that is an overview of access control lists. In the next lecture we’re going to start digging deeper into the syntax of the ACL, starting with that number at the start, 100 in this example, and what it means. See you in the next lecture.

  1. Standard, Extended and Named ACLs

In this lecture you’ll learn about standard, extended and named ACLs, and we’re going to start looking deeper into the syntax of our access control lists. You saw the slide in the last lecture; that’s the format of the command. When we’re building our ACLs at global config, we start with access-list and then a number for the access list, and the different numbers have meaning. If it’s numbered from 1 to 99, it’s an IP standard access list. If it’s from 100 to 199, it’s an extended access list; we’ll get to the expanded ranges in a second. So the original implementation was standard and extended numbered ACLs. Standard ACLs reference the source address only, so that’s all the router cares about when it processes the ACL: the source address. It’s not looking at the destination address, the protocol, the port number, anything like that. Extended ACLs are more granular: they don’t just check the source address, they can also check the protocol (is it TCP or UDP?), the destination address and the port number. So, as you saw on the last slide, the ranges for this are: if it’s numbered from 1 to 99, it’s always a standard ACL.

If you number it from 1 to 99, you can’t put information in there like the destination IP address. If it’s numbered from 100 to 199, it’s always an extended ACL, which does allow you to put in the more granular information. Now, Cisco improved this later on. The original implementation had standard from 1 to 99 and extended from 100 to 199. It’s not likely, but it is possible in really large environments like service providers, if they’ve got lots of sub-interfaces, that they could run out of ACL numbers. In a normal enterprise it wouldn’t happen, but it is feasible. So because of this, Cisco expanded the range, and standard is now not just 1 to 99; they also included 1300 to 1999 as well. You can use any of those numbers for a standard ACL.

The extended ACL numbers were also expanded. They don’t just include 100 to 199; they also include 2000 to 2699 as well. So here’s an example of a standard ACL. We’ve got access-list 1 deny 10.10.10.10 0.0.0.0. The wildcard mask here means we’re just looking for the particular host 10.10.10.10. Then the second line is access-list 1 permit 10.10.10.0 0.0.0.255. So what this ACL is doing is denying the one particular host 10.10.10.10 and permitting everything else on the 10.10.10.0/24 network. The default wildcard mask for a standard ACL is 0.0.0.0. Because this is a wildcard mask, it equates to a subnet mask of 255.255.255.255, meaning it’s an individual host address. So if we look back, the first line was access-list 1 deny 10.10.10.10 0.0.0.0; because 0.0.0.0 is the default, we could have just said access-list 1 deny 10.10.10.10, and it means the same thing. Don’t forget to enter the wildcard mask when you’re specifying an IP subnet rather than an individual host, though: the command line will still allow you to enter the command without it.

For example, access-list 1 deny 10.10.10.0 with no wildcard mask. But this obviously would not match anything, since it would only match the single host address 10.10.10.0, so it would be an error in your configuration. So when you are specifying a subnet (I’ll go back a slide again: the second line was access-list 1 permit 10.10.10.0 0.0.0.255), remember to put the wildcard mask in, or it’s going to default to a /32 and it’s not going to work. Okay, so that was a standard ACL, where we’re just looking at the source address. With an extended ACL, we can have much more granular information in there.

So here’s an example of an extended ACL, again at global config. We’ve said access-list 100 deny tcp from 10.10.10.10 with a wildcard mask of 0.0.0.0, so we’re looking for that host, where the source port number is greater than 49151, going to a destination address of 10.10.50.10 with a wildcard mask of 0.0.0.0, so looking for a host again, and equal to a destination port number of 23. Telnet, which you’ll also learn about later, uses 23 as its destination port. So this would be denying Telnet traffic from the host 10.10.10.10 going to the host 10.10.50.10. Then the next line is access-list 100 permit tcp 10.10.10.0 with a wildcard mask of 0.0.0.255, source port greater than 49151, going to a destination host of 10.10.50.10 eq telnet.

So this is a very similar example to the standard ACL we had before. But the standard ACL was just saying block all traffic from 10.10.10.10 and allow everything from the 10.10.10.0/24 subnet. Here we’re getting more granular: we’re saying it’s not just all traffic coming from there, it’s Telnet traffic going to a particular host. Okay? So those were examples of standard and extended ACLs. The extended ACL does not have a default wildcard mask. With the standard ACL the default wildcard mask is a /32 (0.0.0.0); the extended ACL does not have a default. So if you put in an extended ACL and you don’t specify a wildcard mask, it will give you an error message. You can see that’s what I did here: I said access-list 150 deny tcp 10.10.10.10 and then went straight on to the source port without specifying the wildcard mask. If you do that, the command line will throw back an error saying that there’s invalid input, and it shows you where the error is, which is because I didn’t enter the wildcard mask.
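To make the wildcard-mask behaviour and the numbering rules from this lecture and the overview lecture concrete, here is an added Python example. It is not part of the course and not Cisco software; it is a small model that parses the lecture’s numbered ACL lines (standard and extended) and evaluates packets against them the way a router does: the first matching entry decides and, a fact about IOS ACLs not covered above, a packet that matches no entry is dropped by the implicit deny at the end of every ACL. The parser reproduces the two gotchas just described: a standard ACL with no wildcard mask defaults to 0.0.0.0 (one host), while an extended ACL with no wildcard mask is rejected. The packet dictionaries, the port-name table and the forgot_wildcard_on_subnet helper are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port-name table constructed for this example; IOS knows many more names.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}
QUALIFIERS = ("eq", "gt", "lt", "neq")


def acl_type(number):
    """Classify an ACL number using the ranges given in the lecture."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a standard or extended IP ACL number")


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: 0 bits must equal the base, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w == 0


def _is_ipv4(token):
    return token.count(".") == 3 and all(p.isdigit() for p in token.split("."))


def _token(t, pos):
    if pos >= len(t):
        raise ValueError("% Incomplete command")
    return t[pos]


@dataclass
class Ace:
    action: str                 # permit or deny
    protocol: str               # "ip" matches any protocol; otherwise tcp/udp/icmp
    src: str
    src_wc: str
    src_port: Optional[tuple]   # (qualifier, port) or None
    dst: str
    dst_wc: str
    dst_port: Optional[tuple]


def _parse_port(t, pos):
    """Consume an optional 'eq|gt|lt|neq <port>' at pos; return (rule, new_pos)."""
    if pos < len(t) and t[pos] in QUALIFIERS:
        value = _token(t, pos + 1)
        return (t[pos], PORT_NAMES.get(value) or int(value)), pos + 2
    return None, pos


def parse_ace(line):
    """Parse one 'access-list <number> ...' line as the lecture describes the syntax."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list":
        raise ValueError("% Invalid input detected")
    kind, action = acl_type(int(t[1])), t[2]
    if kind == "standard":
        # Standard ACL: source only. A missing wildcard defaults to 0.0.0.0 (one host).
        wc = t[4] if len(t) > 4 else "0.0.0.0"
        return Ace(action, "ip", t[3], wc, None, "0.0.0.0", "255.255.255.255", None)
    protocol, src, pos = t[3], _token(t, 4), 5
    if not _is_ipv4(_token(t, pos)):
        # Extended ACL: no default wildcard, so the line is rejected right here.
        raise ValueError(f"% Invalid input detected after '{src}': wildcard mask missing")
    src_wc, pos = t[pos], pos + 1
    src_port, pos = _parse_port(t, pos)
    dst, pos = _token(t, pos), pos + 1
    if not _is_ipv4(_token(t, pos)):
        raise ValueError(f"% Invalid input detected after '{dst}': wildcard mask missing")
    dst_wc, pos = t[pos], pos + 1
    dst_port, _ = _parse_port(t, pos)
    return Ace(action, protocol, src, src_wc, src_port, dst, dst_wc, dst_port)


def _port_ok(port, rule):
    if rule is None:
        return True
    qual, value = rule
    return {"eq": port == value, "gt": port > value, "lt": port < value, "neq": port != value}[qual]


def evaluate(acl, packet):
    """First matching ACE decides; no match means the implicit deny at the end of the ACL."""
    for ace in acl:
        if ace.protocol not in ("ip", packet["protocol"]):
            continue
        if not (wildcard_match(packet["src"], ace.src, ace.src_wc)
                and wildcard_match(packet["dst"], ace.dst, ace.dst_wc)):
            continue
        if _port_ok(packet.get("sport", 0), ace.src_port) and _port_ok(packet.get("dport", 0), ace.dst_port):
            return ace.action
    return "deny"


# The lecture's two example ACLs, exactly as typed at global config.
STANDARD_ACL = [parse_ace(l) for l in (
    "access-list 1 deny 10.10.10.10",
    "access-list 1 permit 10.10.10.0 0.0.0.255",
)]
EXTENDED_ACL = [parse_ace(l) for l in (
    "access-list 100 deny tcp 10.10.10.10 0.0.0.0 gt 49151 10.10.50.10 0.0.0.0 eq 23",
    "access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet",
)]


def forgot_wildcard_on_subnet():
    """The standard-ACL gotcha: 'deny 10.10.10.0' without a wildcard is a host entry, not a subnet,
    so a host in that subnet falls through to the following permit-everything entry."""
    acl = [parse_ace("access-list 1 deny 10.10.10.0"),
           parse_ace("access-list 1 permit 0.0.0.0 255.255.255.255")]  # same as 'permit any'
    return evaluate(acl, {"protocol": "tcp", "src": "10.10.10.5", "dst": "10.10.20.1"})
```

Running evaluate(EXTENDED_ACL, …) with a Telnet packet from 10.10.10.10 returns deny, the same packet from 10.10.10.20 returns permit, and an SSH packet (destination port 22) from either host hits the implicit deny; forgot_wildcard_on_subnet() returns permit, which is exactly the mistake the lecture warns about.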

Okay? So that was standard and extended ACLs. The last type of ACL we have was another improvement. Originally we had standard ACLs, then extended ACLs, then the standard and extended ranges were expanded, and after that named ACLs came out. So you can now reference an ACL either by a number or by a name. Named ACLs begin with the command ip access-list at global config, instead of access-list, which is for numbered ACLs. So if we go to global config, we say ip access-list and then a question mark to check the syntax. In the next part of the command we say whether this is going to be an extended or a standard ACL. The syntax for named ACLs is very similar to numbered ACLs, but slightly different. So let me show you the numbered ACL again.

With the numbered ACL, it always starts with access-list and then the number, and then it’s going to be a deny entry or a permit entry. With named ACLs, the syntax is a little bit neater and tidier. It starts with ip access-list, then you say whether it’s standard or extended, and then you give it a name. Here I’ve named it Flatbox Demo. Then you enter your entries: I’ve denied 10.10.10.10 and permitted 10.10.10.0 0.0.0.255. So when you use a named ACL, when you put in the first line that creates the named ACL, it then goes into a sub-menu where you configure the rules in that ACL. When you do a numbered ACL, it’s different in that you always do it at global config, and you have to say access-list and the number at the start every time. So the named ACL is a very similar configuration. It’s the newer way of doing it, it’s what’s more commonly used now, and it’s a little bit tidier configuration. Okay, so that was our standard, extended and named ACLs. One other thing I want to tell you, which I nearly forgot, is about that source port number, because you were maybe wondering about that.

So here’s our extended access list example, and you can see the source port I’ve specified is greater than 49151. The reason I’ve used this is that modern versions of Windows, from Windows 7 and later, use a random source port number whenever they send traffic out, but it begins at 49152. It can be 49152 or higher, up to a certain number at the top of the range. It used to be greater than 1024 with older versions of Windows like XP, but it’s a bit of a higher number now. So I just thought I’d mention that in case you were wondering where that source port number came from. With ACLs, it’s not so common to care about the source port number, because that can change, but the destination port number will be fixed based on the application.

Okay, that’s everything I needed to tell you in this lecture. See you in the next one where we’ll start going through the rest of the syntax.
